#!/bin/bash
# 基于阿里云最佳实践安全实践的CentOS Linux 7基线标准
# 系统-等保三级-CentOS Linux 7合规基线检查
# author： zhangyu
# time： 2021-06-09

#echo '===============修改密码过期时间'
#sed -i.bak -e 's/^\(PASS_MAX_DAYS\).*/\1   180/' /etc/login.defs \
#  && sed -i.bak -e 's/^\(PASS_MIN_DAYS\).*/\1   7/' /etc/login.defs

# 密码最大最小过期时间
#chage --maxdays 180 root && chage --mindays 7 root

echo "set 密码过期时间 over" && sleep 2 
echo '===============修改密码复杂度限制'
# 设置密码种类
sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf \
  && sed -i 's/# minlen = 9/minlen = 9/g' /etc/security/pwquality.conf

echo "set  密码复杂度限制 over" && sleep 2 
echo '===============修改密码重复限制'
# 密码限制，使用过去使用的密码进行限制
sed -i 's/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/password-auth
sed -i 's/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/system-auth

echo "set 密码重复限制 over" && sleep 2 
echo '===============修改错误登陆限制'
# 最大错误登陆次数
sed -i '/# User/a\auth        required      pam_tally2.so onerr=fail audit silent deny=5 unlock_time=300' /etc/pam.d/password-auth
sed -i '/# User/a\auth        required      pam_tally2.so onerr=fail audit silent deny=5 unlock_time=300' /etc/pam.d/system-auth

echo "set 错误登陆限制 over" && sleep 2 
echo '===============修改会话超时限制'
echo 'export TMOUT=900' >> /etc/profile
echo 'readonly TMOUT' >> /etc/profile
echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> /etc/profile
echo 'export HISTSIZE=0' >> /etc/profile
source /etc/profile

echo "set 会话超时限制 over" && sleep 2 
echo '===============修改ssh参数，禁止远程登陆'
# 禁止root远程登陆 #ssh超时时间 # 每个连接允许的最大验证尝试次数
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config \
  && sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/ssh/sshd_config \
  && sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config \
  && sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config \
  && sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' /etc/ssh/sshd_config \
  && echo "Protocol 2" >> /etc/ssh/sshd_config \
  && systemctl restart sshd.service

echo "set ssh over" && sleep 2 
echo '===============修改文件权限'
# 修改部分文件权限
chown root:root /etc/hosts.allow \
  && chown root:root /etc/hosts.deny \
  && chmod 644 /etc/hosts.deny  \
  && chmod 644 /etc/hosts.allow \
  && chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow  \
  && chmod 0644 /etc/group  \
  && chmod 0644 /etc/passwd  \
  && chmod 0400 /etc/shadow  \
  && chmod 0400 /etc/gshadow \
  && chown root:root /etc/ssh/sshd_config  \
  && chmod 600 /etc/ssh/sshd_config \
  && chown root:root /etc/profile  \
  && chmod 644 /etc/profile \
  &&   chown root:root /etc/crontab \
  && chmod 400 /etc/crontab \
  && chown -R root:root /var/spool/cron \
  && chmod -R go-rwx /var/spool/cron \
  && chown -R root:root /etc/cron.* \
  && chmod -R go-rwx /etc/cron.* \
  && chown root:root /etc/sysctl.conf \
  && chmod 600 /etc/sysctl.conf

echo "set 文件权限 over" && sleep 2 
echo '===============建立恰当的警告banner'
echo "Authorized uses only. All activity may be monitored and reported." >>/etc/motd
chown root:root /etc/motd
chmod 644 /etc/motd
echo "Authorized uses only. All activity may be monitored and reported." >> /etc/issue
echo "Authorized uses only. All activity may be monitored and reported." >> /etc/issue.net

echo "set 警告banner over" && sleep 2 
echo '===============开启日志审计'
systemctl start auditd && systemctl enable auditd 
systemctl start rsyslog && systemctl enable rsyslog 

echo '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' >> /etc/audit/rules.d/audit.rules

echo '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' >> /etc/audit/audit.rules

echo ' -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity' >> /etc/audit/rules.d/audit.rules

echo ' -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity' >> /etc/audit/audit.rules

echo ' -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope' >> /etc/audit/rules.d/audit.rules

echo ' -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope' >> /etc/audit/audit.rules

echo "set 日志审计 over" && sleep 2 
echo '===============开启docker日志审计'
cat >> /etc/audit/audit.rules<<EOF
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
EOF
cat >> /etc/audit/rules.d/audit.rules<<EOF
-w /usr/bin/dockerd -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /etc/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/default/docker -k docker
-w /etc/sysconfig/docker -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/containerd -k docker
-w /usr/sbin/runc -k docker
EOF

echo "set docker日志审计 over" && sleep 2 
echo '===============关闭部分服务'
systemctl stop rpcbind &>/dev/null
systemctl stop rpcbind.socket &>/dev/null
systemctl disable rpcbind.socket &>/dev/null
systemctl disable rpcbind.socket &>/dev/null
systemctl stop postfix && systemctl disable postfix

echo "set 关闭部分服务 over" && sleep 2 
echo '===============开启系统日志压缩,保留4个文件（1个月）'
sed -i 's/\#compress/compress/g' /etc/logrotate.conf \
  && sed -i 's/rotate 1/rotate 4/g' /etc/logrotate.conf \
  && sed -i 's/monthly/weekly/g' /etc/logrotate.conf

echo "set 系统日志压缩 over" && sleep 2 
echo '===============查看是否安装fail2ban'
which fail2ban-client
if $? != 0; then
  echo "未安装fail2ban 程序，请注意"
fi